Subject: Fwd: "Vulnerability" in Perl in the news
Date: Wed, 13 Dec 2017 11:16:55 -0800
To: bug-ExtUtils-ParseXS [...] rt.cpan.org
From: Karen Etheridge <perl [...] froods.org>
---------- Forwarded message ----------
From: Dave Rolsky <autarch@urth.org>
Date: Sun, Dec 10, 2017 at 11:31 AM
Subject: "Vulnerability" in Perl in the news
To: perl5-porters@perl.org
I use the word "vulnerability" in quotes, because press releases to the
contrary, I'm not convinced there's anything exploitable here. However,
this is getting reported as a "severe vulnerability" by websites for
reasons I don't understand. No one will be surprised that this was some
conference-driven research with the hype that unfortunately accompanies it.
Anyway, here's a link to the paper - https://www.blackhat.com/docs/eu-17/materials/eu-17-Arnaboldi-Exposing-Hidden-Exploitable-Behaviors-In-Programming-Languages-Using-Differential-Fuzzing-wp.pdf
The one thing listed for Perl is that the ExtUtils::Typemaps::Cmd module's
embeddable_typemap sub will eval anything you pass it in an attempt to load
a module based on the strings it gets.
This would only be a vulnerability if you wrote code that accepted
arbitrary user input and passed it to that sub. But it's hard to imagine a
case where that would happen.
So I'd consider this a theoretical vulnerability at best. That said,
patching this module to do some basic validation of the passed strings
isn't a terrible idea.
Cheers,
Dave Rolsky
http://blog.urth.org
https://github.com/autarch
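
The "basic validation of the passed strings" suggested in the forwarded message could take the following shape. This is an added example, not code from ExtUtils::Typemaps::Cmd or from anyone in the thread; the helper names `is_module_name` and `load_module_checked` are hypothetical and the sample inputs are constructed.

```perl
use strict;
use warnings;

# Hypothetical helper (not part of ExtUtils::Typemaps::Cmd): accept only a
# syntactically plain package name. \A and \z anchor the whole string, so a
# trailing newline or any text after the name fails the match.
sub is_module_name {
    my ($name) = @_;
    return defined $name
        && $name =~ /\A[A-Za-z_][A-Za-z0-9_]*(?:::[A-Za-z0-9_]+)*\z/;
}

# Load a module by name without string eval: the validated name is turned
# into a relative file path and passed to require, so the caller's string
# is never compiled as Perl source.
sub load_module_checked {
    my ($name) = @_;
    die "refusing to load invalid module name\n" unless is_module_name($name);
    (my $file = "$name.pm") =~ s{::}{/}g;
    require $file;
    return $name;
}

# Constructed inputs: two core module names, then strings that are not names.
my @samples = (
    'List::Util',
    'ExtUtils::Typemaps',
    'List::Util; warn "extra statement"',
    "List::Util\n",
    '::Leading',
    '',
);

for my $input (@samples) {
    (my $shown = $input) =~ s/\n/\\n/g;    # make the newline visible in output
    my $ok = eval { load_module_checked($input); 1 };
    printf "%-40s %s\n", "'$shown'", $ok ? 'loaded' : 'rejected';
}
```

The block form of `eval` here only traps the `die`; it does not compile its argument, unlike the string `eval` the message describes.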